The Time Has Come to Automate Supply Chain Security

Updated: Oct 12


By Chris Blask, Global Director Industrial and IoT Security at Unisys, (CS)²AI Fellow

October, 2020


Maintaining visibility into the inventory of assets, supplies, and products entering and leaving industrial operations has been a key to reliable operations since the dawn of infrastructure. The proliferation of digital devices combined with the advantages of adaptive supply chains has put a sharp point on the need to evolve this practice significantly. Initiatives across public and private sectors over the past decade have laid the groundwork for the automation of high-surety attestation sharing among supply chain partners, with early adopters leveraging these systems to gain competitive advantages today.

Tracking any item in a supply chain comes down to three simple questions:

 - What is being written?

 - Where is it being written?

 - Who gets to read it?

With digital assets being used throughout industrial systems at increasing rates, and these assets becoming increasingly complex and capable, the traditional manual methods of tracking have been overwhelmed by volume and speed. Individual supply chain operators have evolved bespoke solutions to the challenges presented, but these do not translate upstream to their suppliers or downstream to their customers. Critical issues such as locating and remediating flawed software, hardware, or materials is still done with manual effort of individuals searching documents and exchanging emails.

Due to a variety of related efforts over the past ten years, answers to these three supply chain questions have been developed that together form a functional system of attestation, sharing, and policy that is today being used by supply chain partners. Industrial operators and the subject matter experts they work with should begin integrating these structures into operational planning and execution of public and private systems.

“What is being written?” - The necessity for reliable provenance for software has led to common taxonomies to describe sources and components. The Linux Foundation Software Package Data Exchange (SPDX) program has developed mature common taxonomies for open source software, which are being used in the US Department of Commerce Software Bill of Materials (SBOM) initiative alongside taxonomies from MITRE and ISO. There is workable agreement on What is to be written down to share attestations.

“Who gets to read it?” - The necessity to ensure compliance with GDPR data privacy laws has led Bosch and partners to develop a policy framework for the handling of sensitive data produced and consumed by IoT devices. The Digital Trust Forum (DTF) provides a policy framework that is being applied to the creation and management of supply chain data shared in public and private channels, to answer the question of Who gets to read What.

“Where is it being written?” - The Digital Bill of Materials (DBoM) Consortium is a Linux Foundation project that provides the backbone for attestation sharing among supply chain partners, created by Unisys in partnership with the aforementioned entities and other supply chain operators. Open source DBoM Node software will be available through the project in Q4 2020 to enable any organization to create or participate in attestation-sharing channels with supply chain partners. 

This common backbone answers the question of Where attestations can be shared. The DBoM Consortium will maintain processes to select common taxonomies so partners know What they are sharing, and common policy structures that ensure only those Who are authorized can access them.

The economic drivers of Industry 4.0 and IIoT mandate the adoption of increasingly complex operational systems. To remain competitive industrial operators must reduce the effort needed to track an increasing quantity of assets, while increasing their ability to identify and remediate risks. If you have a duty to protect critical infrastructures, the time has come to automate the supply chains you rely on.